fix 2-sec-roles

yanivpaz · May 4, 2020 · 59772fd · 59772fd
1 parent f1a2d19
commit 59772fd
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 30 deletions.
diff --git a/1-dev-vpc/commands.txt b/1-dev-vpc/commands.txt
@@ -1,5 +1,16 @@
-aws config
+# Run the aws configure command to set your access and secret keys
+aws configure
 
+# Rename the terraform.tfvars.example file to terraform.tfvars and change the region
+# to your desired region
+
+# Initialize the terraform configuration
 terraform init
+
+# Plan the terraform deployment
 terraform plan -out vpc.tfplan
-terraform apply "vpc.tfplan"
+
+# Apply the deployment
+terraform apply "vpc.tfplan"
+
+# Do not destroy the VPC until you have completed the next module
diff --git a/1-dev-vpc/main.tf b/1-dev-vpc/main.tf
@@ -24,7 +24,7 @@ variable "public_subnets" {
 
 provider "aws" {
   version = "~> 2.0"
-  region = var.region
+  region  = var.region
 }
 
 #############################################################################
@@ -41,15 +41,15 @@ module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "2.33.0"
 
-  name = "main-vpc"
+  name = "dev-vpc"
   cidr = var.vpc_cidr_range
 
-  azs = slice(data.aws_availability_zones.available.names, 0, 1)
+  azs            = slice(data.aws_availability_zones.azs.names, 0, 1)
   public_subnets = var.public_subnets
 
   tags = {
-      Environment = "dev"
-      Team = "infra"
+    Environment = "dev"
+    Team        = "infra"
   }
 
 }

diff --git a/1-dev-vpc/terraform.tfvars.example b/1-dev-vpc/terraform.tfvars.example
@@ -0,0 +1 @@
+region = "us-east-1"
diff --git a/2-sec-roles/commands.txt b/2-sec-roles/commands.txt
@@ -0,0 +1,12 @@
+# You will be using two AWS profiles
+# infra will be a user in the infrastructure account
+# sec will be a user in the development account
+# You will need to have created these users in the console already
+
+aws configure --profile infra
+
+# Provide the Access and Secret keys
+
+aws configure --profile sec
+
+# Provide the Access and Secret keys
diff --git a/2-sec-roles/main.tf b/2-sec-roles/main.tf
@@ -8,7 +8,7 @@ variable "region" {
 }
 
 variable "peering_users" {
-    type = list(string)
+  type = list(string)
 }
 
 #############################################################################
@@ -17,15 +17,15 @@ variable "peering_users" {
 
 provider "aws" {
   version = "~> 2.0"
-  region = var.region
-  alias = "infra"
+  region  = var.region
+  alias   = "infra"
   profile = "infra"
 }
 
 provider "aws" {
   version = "~> 2.0"
-  region = var.region
-  alias = "sec"
+  region  = var.region
+  alias   = "sec"
   profile = "sec"
 }
 
@@ -34,11 +34,11 @@ provider "aws" {
 #############################################################################
 
 data "aws_caller_identity" "infra" {
-    provider = aws.infra
+  provider = aws.infra
 }
 
 data "aws_caller_identity" "sec" {
-    provider = aws.sec
+  provider = aws.sec
 }
 
 #############################################################################
@@ -48,8 +48,8 @@ data "aws_caller_identity" "sec" {
 # Create a policy to allow peering acceptance
 
 resource "aws_iam_role_policy" "peering_policy" {
-  name = "vpc_peering_policy"
-  role = aws_iam_role.peer_role.id
+  name     = "vpc_peering_policy"
+  role     = aws_iam_role.peer_role.id
   provider = aws.sec
 
   policy = <<-EOF
@@ -72,7 +72,7 @@ resource "aws_iam_role_policy" "peering_policy" {
 # Create a role that can be assumed by the infra account
 
 resource "aws_iam_role" "peer_role" {
-  name = "peer_role"
+  name     = "peer_role"
   provider = aws.sec
 
   assume_role_policy = <<-EOF
@@ -95,16 +95,16 @@ resource "aws_iam_role" "peer_role" {
 # Create a group that can accept peering connections
 
 resource "aws_iam_group" "peering" {
-  
-  name = "VPCPeering"
+
+  name     = "VPCPeering"
   provider = aws.infra
 
 }
 
 # Add members to the group
 
 resource "aws_iam_group_membership" "peering-members" {
-  name = "VPCPeeringMembers"
+  name     = "VPCPeeringMembers"
   provider = aws.infra
 
   users = var.peering_users
@@ -115,8 +115,9 @@ resource "aws_iam_group_membership" "peering-members" {
 # Create a group policy that can assume the role in sec
 
 resource "aws_iam_group_policy" "peering-policy" {
-    name  = "peering-policy"
-  group = aws_iam_group.peering.id
+  name     = "peering-policy"
+  group    = aws_iam_group.peering.id
+  provider = aws.infra
 
   policy = <<EOF
 {

diff --git a/2-sec-vpc/main.tf b/2-sec-vpc/main.tf
@@ -19,12 +19,12 @@ variable "public_subnets" {
 }
 
 variable "private_subnets" {
-  type = list(string)
+  type    = list(string)
   default = ["10.0.100.0/24", "10.0.101.0/24"]
 }
 
 variable "infra_subnets" {
-  type = list(string)
+  type    = list(string)
   default = ["10.0.200.0/24", "10.0.201.0/24"]
 }
 
@@ -34,7 +34,7 @@ variable "infra_subnets" {
 
 provider "aws" {
   version = "~> 2.0"
-  region = var.region
+  region  = var.region
 }
 
 #############################################################################
@@ -56,14 +56,14 @@ module "vpc" {
   name = "sec-vpc"
   cidr = var.vpc_cidr_range
 
-  azs = slice(data.aws_availability_zones.available.names, 0, 1)
-  public_subnets = var.public_subnets
+  azs             = slice(data.aws_availability_zones.available.names, 0, 1)
+  public_subnets  = var.public_subnets
   private_subnets = var.private_subnets
-  infra_subnets = var.infra_subnets
+  infra_subnets   = var.infra_subnets
 
   tags = {
-      Environment = "all"
-      Team = "security"
+    Environment = "all"
+    Team        = "security"
   }
 
 }